The book imagines an authoritarian regime maintained by a government that monitors its citizens via their televisions.

But the spying-TV trope appears to be far from fictional, according to a new settlement agreement reached between the Federal Trade Commission and smart-TV manufacturer Vizio. Since 2010, Vizio has sold more than 11 million internet-connected televisions, the FTC says.

According to the FTC's complaint against Vizio, those televisions have been surreptitiously spying on users by recording their television viewing history, IP address, nearby WiFi access points and other details, which Vizio has then sold to third parties.

Vizio will pay $2.2 million to settle the complaint - $1.5 million to the FTC and $1 million to the New Jersey Division of Consumer Affairs, with $300,000 of that amount suspended. As is typical with FTC complaints, defendants who choose to settle - rather than taking the matter to court - do not have to admit any wrongdoing.

A stipulated federal court order signed by Vizio executives now requires the company "to prominently disclose and obtain affirmative express consent for its data collection and sharing practices, and prohibits misrepresentations about the privacy, security, or confidentiality of consumer information they collect," according to the FTC. Vizio must also delete all data collected prior to March 1, 2016, create a data privacy program and submit to having the program assessed biennially.

Vizio couldn't be immediately reached for comment.

Deceptive Practices

The FTC accused Vizio of "engaging in unfair and deceptive acts or practices," in violation of the FTC Act, thus allowing the agency to petition courts to recover "the disgorgement of ill-gotten monies."

In this case, the disgorgement relates to Vizio's wholly owned subsidiary, Vizio Inscape Services, formerly known as Cognitive Media Services. According to the FTC, Vizio Inscape Services "developed proprietary automated content recognition software to detect the content on internet-connected televisions and monitors," which it installed on all of Vizio's televisions beginning in February 2014, and then also remotely installed on previously purchased internet-connected televisions that did not yet have the software. "Defendants' ACR software also periodically collects other information about the television, including IP address, wired and wireless MAC addresses, WiFi signal strength, nearby WiFi access points, and other items," according to the complaint.

The FTC says this information has been sold to third parties for four purposes:

Audience measurement: Tracking what consumers are watching, and how, second by second;

Analyzing advertising effectiveness: Tracking how many users visit a website for a product after seeing a related advertisement;

Targeting advertising: Using television viewing data to serve specific types of advertisements to viewers;

Identifying viewers: Providing IP addresses to data aggregators allows them to identify specific consumers or households and then share this information, so that the "sex, age, income, marital status, household size, education, home ownership and household value" of the individual or household can be ascertained.

Those who purchased Vizio televisions were given no notice that tracking software was installed, the FTC says. For televisions that had the software remotely installed in February 2014, post-purchase by Vizio, the FTC says that a pop-up notification then appeared on screen that read:

The VIZIO Privacy Policy has changed. Smart Interactivity has been enabled on your TV, but you may disable it in the settings menu. See www.vizio.com/privacy for more details. This message will time out in 1 minute.

As noted, however, the message was displayed for only 60 seconds, and there was no guarantee that it would be seen, seen by an adult or that its message would be understood.

By March 2016, when the FTC was investigating these practices, Vizio crafted another pop-up message, which told the viewer that their television viewing data was being collected. But that message disappeared after 30 seconds, the FTC says. For viewers who looked up "smart interactivity" in their manual, furthermore, the definition stated only: "Your TV can display program-related information as part of the broadcast." But it made no reference to people's viewing data being collected, stored indefinitely or being sold to third parties.

Automatic Content Recognition Technology Warning

The FTC's settlement agreement is the result of a 2015 report in Consumer Reports magazine warning that so-called smart TVs - internet-connected devices that include microphones and cameras - built by the likes of LG, Samsung and Vizio included automatic content recognition technology that was "collecting and sharing user data on a fairly massive scale."

Those revelations led to Vizio being slapped with two class-action lawsuits. Meanwhile, security firm Avast warned that the content recognition technology in Vizio smart TVs could be exploited to launch a man-in-the-middle attack, enabling attackers to then potentially exploit anything connected to the home network.

In 2015, Avast detailed how hackers could exploit Vizio smart TVs to gain access to home or office networks, for example by injecting a malicious SSID, as shown.

Big Data Worries

These might seem like abstract concerns, except for 2011 and 2012 National Security Agency documents leaked by the publication Intercept in 2015, which showed the U.S. intelligence agency building a big data program code-named Skynet. The name references the artificial intelligence program in the "Terminator" movies that gains sentience and then attempts to murder humanity via an army of cyborg Arnold Schwarzeneggers (see Slouching Toward 1984).

In this case, however, the program - if the leaked documents are accurate - attempted to marry travel patterns and behavior-based analytics to try and identify miscreants. There's no indication that the NSA would try an intercept data feeds from smart TVs, but using internet of things devices to study viewing patterns and identify individuals would be an obvious - and potentially privacy-upsetting - move.

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Enter your email address to reset your password

Already have anISMG account?

Forgot Your Password Message:

Contact Us

Already have anISMG account?

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing careersinfosecurity.co.uk, you agree to our use of cookies.